
Rule Update

OCR Director: The Cost of Doing Nothing Is Very High

TL;DR

OCR Acting Director Paula Stannard told HIMSS 2026 attendees that the proposed HIPAA Security Rule update is necessary because cyberattacks on healthcare organizations directly harm patients — delaying care, diverting ambulances, and exposing sensitive data. She rejected industry arguments that the proposed rule is too burdensome, arguing that the cost of maintaining weak security controls far exceeds the cost of compliance.

OCR Acting Director Paula Stannard used her HIMSS 2026 address to defend the proposed HIPAA Security Rule update, warning that weak cybersecurity controls have enabled a wave of ransomware attacks that harm patients and that inaction is not a cost-free option.

medcomply.ai editorial team · Published May 20, 2026 · Updated May 20, 2026 · 4 min read

OCR Acting Director Paula Stannard took the stage at HIMSS 2026 to deliver a pointed defense of the agency's proposed HIPAA Security Rule update — and to push back on industry critics who have argued the proposed requirements are too expensive and technically demanding for smaller healthcare organizations.

"The cost of doing nothing is very high," Stannard told the audience. "We have seen hospitals divert ambulances. We have seen surgeries canceled. We have seen patients harmed. That is the cost of the status quo."

Note

OCR's position: cyberattacks on healthcare organizations are a patient safety issue, not just a compliance matter. The proposed Security Rule update is OCR's response to more than a decade of rising breach counts and ransomware incidents.

Background: The Proposed Rule

HHS published a Notice of Proposed Rulemaking in January 2025 that would represent the first substantive update to the HIPAA Security Rule since 2013. The proposed rule attracted more than 4,000 public comments, many from hospital associations, small provider groups, and health IT vendors concerned about implementation costs.

The most contested provision is the elimination of the "addressable" specification category. Under current rules, certain safeguards are designated "addressable," meaning covered entities can choose not to implement them if they document a reasonable basis for that decision. The proposed rule would eliminate this distinction, making all implementation specifications required.

45 CFR §164.312(a)(2)(iv)

Other significant proposals include mandatory multi-factor authentication for all access to electronic protected health information, annual penetration testing and vulnerability scanning, network segmentation requirements, and more prescriptive incident response plan requirements.

"Not a Paperwork Exercise"

Stannard was direct about OCR's intentions. She framed the proposed rule not as a paperwork exercise but as a direct response to documented patient harm.

"We are not asking for binders and checkboxes," she said. "We are asking you to actually implement the controls that prevent ransomware from shutting down your hospital."

She pointed to high-profile incidents — including ransomware attacks that forced hospital systems to divert emergency patients and cancel procedures — as evidence that the current rule's flexibility has been exploited.

OCR views the flexibility built into the 2013 Security Rule as a bug, not a feature. The proposed rule is designed to close the gap between organizations that use "addressable" specifications to avoid hard controls and organizations that implement them seriously.

Industry Response

Trade groups including the American Hospital Association and HIMSS itself have urged HHS to reconsider some of the more prescriptive provisions, particularly mandatory penetration testing timelines and MFA requirements for legacy clinical systems that were not designed with modern authentication in mind.

HIMSS submitted formal comments arguing that a phased implementation timeline of at least two years would be necessary for many members, and that small and rural providers would need additional technical assistance and safe harbors.

Stannard acknowledged the concerns but indicated that OCR is not inclined to weaken the core technical requirements.

"We hear you on implementation timelines," she said. "We are less sympathetic to the argument that you should not have to implement multi-factor authentication because it is hard."

What Covered Entities Should Do Now

The final rule has not yet been published. However, OCR has made clear that it views the proposed requirements as reflective of current best practices — meaning that enforcement actions under the existing rule may increasingly benchmark against the proposed standards even before they become final.

Note

Practical implication: do not wait for the final rule. Organizations that begin closing gaps now — particularly around MFA, vulnerability management, and incident response planning — will be better positioned for both compliance and any OCR investigation.

Key steps to take now:

  • Audit your MFA coverage. Identify all systems that access ePHI and determine which do not currently support or enforce MFA.
  • Review your risk analysis. The proposed rule requires documented risk analysis updates whenever the environment changes materially. Many organizations have not updated their risk analysis since before the COVID-era shift to remote access.
  • Map your network segmentation. Determine whether ePHI systems are isolated from general corporate networks in a way that would limit the spread of ransomware.
  • Test your incident response plan. The proposed rule requires tabletop and technical exercises, not just a documented plan on a shelf.
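The first three steps above are inventory questions, and they are easiest to answer (and to keep answering after every change) from a machine-readable list of systems rather than a spreadsheet reviewed once a year. The following script is an added example, not code from OCR, HHS or medcomply.ai; it assumes a hypothetical inventory format (system name, whether it touches ePHI, MFA support and enforcement, network segment, date of last documented risk analysis) and runs the MFA-coverage, segmentation and risk-analysis-currency checks over a constructed sample inventory:

```python
"""Gap-check an ePHI system inventory against the controls discussed above
(MFA coverage, network segmentation, risk-analysis currency).

Example code added for illustration; the inventory schema is an assumption
and every entry in INVENTORY is constructed, not a real system."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class System:
    name: str
    stores_ephi: bool            # does it create, store or transmit ePHI?
    mfa_supported: bool          # can the platform enforce MFA at all?
    mfa_enforced: bool           # is MFA actually required for every login?
    network_segment: str         # which network zone it lives in
    risk_analysis_updated: date  # last documented risk-analysis update


# Constructed sample inventory (hypothetical names and values).
INVENTORY = [
    System("ehr-prod", True, True, True, "clinical", date(2026, 1, 15)),
    System("pacs-legacy", True, False, False, "corporate", date(2019, 11, 2)),
    System("vpn-gateway", True, True, False, "corporate", date(2025, 3, 10)),
    System("intranet-wiki", False, True, False, "corporate", date(2025, 3, 10)),
    System("billing-db", True, True, True, "corporate", date(2026, 2, 1)),
]

# Constructed report date used by the stand-alone run below.
AS_OF = date(2026, 5, 20)


def ephi_systems(systems):
    """Only systems in scope for the Security Rule: those touching ePHI."""
    return [s for s in systems if s.stores_ephi]


def mfa_gaps(systems):
    """Split ePHI systems without enforced MFA into those that can simply
    turn it on and those (legacy clinical gear, for instance) that cannot
    support it and therefore need a compensating control or a replacement
    plan. Systems that hold no ePHI are out of scope and ignored."""
    missing = [s for s in ephi_systems(systems) if not s.mfa_enforced]
    return {
        "enforce_now": sorted(s.name for s in missing if s.mfa_supported),
        "unsupported": sorted(s.name for s in missing if not s.mfa_supported),
    }


def segmentation_gaps(systems, isolated_segments=("clinical",)):
    """ePHI systems that sit on a general-purpose segment, i.e. the ones a
    ransomware outbreak on an ordinary user workstation could reach."""
    return sorted(s.name for s in ephi_systems(systems)
                  if s.network_segment not in isolated_segments)


def stale_risk_analyses(systems, as_of, max_age_days=365):
    """ePHI systems whose documented risk analysis is older than the window."""
    return sorted(s.name for s in ephi_systems(systems)
                  if (as_of - s.risk_analysis_updated).days > max_age_days)


def gap_report(systems, as_of):
    """One entry per checklist item; an empty list means the check passed."""
    return {
        "mfa": mfa_gaps(systems),
        "segmentation": segmentation_gaps(systems),
        "stale_risk_analysis": stale_risk_analyses(systems, as_of),
    }


if __name__ == "__main__":
    for check, result in gap_report(INVENTORY, AS_OF).items():
        print(f"{check}: {result}")
```

The point of keeping the checks as small functions over one inventory is that the report can be regenerated whenever the environment changes, which is exactly the "update the risk analysis when things change materially" expectation the list describes; the stale-analysis window and the set of segments treated as isolated are parameters because those are judgement calls the organisation has to document, not values the rule dictates.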

The direction of HIPAA enforcement is clear regardless of when the final rule publishes. OCR is moving toward mandatory, testable controls — and it is treating cyberattacks that harm patients as a top enforcement priority.

Sources & citations

  • HHS OCR — HIPAA Security Rule NPRM
  • HIMSS 2026 Annual Conference
  • 45 CFR §164.306 — Security Standards: General Rules
  • 45 CFR §164.312 — Technical Safeguards

All content verified against official HHS guidance and the Code of Federal Regulations.

Frequently asked questions

What did OCR Director Stannard say at HIMSS 2026?
Acting OCR Director Paula Stannard used her HIMSS 2026 address to defend the proposed HIPAA Security Rule update, arguing that cyberattacks on healthcare organizations directly harm patients by delaying care and diverting ambulances. She rejected industry pushback that the proposed rule is too expensive, saying 'the cost of doing nothing is very high.'
What is the proposed HIPAA Security Rule update?
HHS published a Notice of Proposed Rulemaking (NPRM) in January 2025 that would update the HIPAA Security Rule for the first time since 2013. Key changes include eliminating the distinction between 'required' and 'addressable' implementation specifications, mandating multi-factor authentication, requiring annual technical vulnerability scans, and imposing network segmentation requirements.
Why is the HIPAA Security Rule being updated now?
The Security Rule was last substantively updated in 2013. Since then, healthcare has become a top ransomware target, with reported large breaches increasing 58% between 2017 and 2021. OCR's position is that the 2013 rule left too much discretion to covered entities, allowing organizations to avoid implementing critical safeguards by claiming they were not 'reasonable and appropriate' for their situation.
What are the most significant proposed changes to the Security Rule?
The most significant proposed changes include: (1) eliminating 'addressable' specifications so all safeguards become required; (2) mandatory multi-factor authentication for all access to ePHI systems; (3) annual technical vulnerability scanning and penetration testing; (4) network segmentation to limit the spread of ransomware; and (5) specific incident response plan requirements including regular testing.
When will the updated HIPAA Security Rule take effect?
The proposed rule has not yet been finalized as of May 2026. HHS accepted public comments on the NPRM through early 2025. A final rule has not yet been published in the Federal Register. Once published, covered entities and business associates will typically have 180 to 365 days to come into compliance.

Not legal advice. medcomply.ai provides compliance intelligence for educational and operational planning. Consult qualified counsel for legal interpretation.